From 7aff58f9f7d46a5a8c2b4462338ad0f1a5551e2f Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 2 Apr 2026 11:24:05 -0700 Subject: [PATCH 01/13] fix: validate encryption materials from cmm are compatible with commitment policy --- src/aws_encryption_sdk/streaming_client.py | 2 + test/functional/test_f_commitment.py | 56 ++++++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index 271b2ab70..6059510ea 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -453,6 +453,8 @@ def _prep_message(self): request=encryption_materials_request ) + validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm) + if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ( diff --git a/test/functional/test_f_commitment.py b/test/functional/test_f_commitment.py index fdfe281ae..d6defd242 100644 --- a/test/functional/test_f_commitment.py +++ b/test/functional/test_f_commitment.py 
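Review bot: The new `validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm)` line in `_prep_message` carries no comment explaining why the policy is re-checked right after `get_encryption_materials`, and the reason is not obvious from the hunk. The next check in the hunk shows `self.config.algorithm` may be `None`, so the algorithm the message will actually use is whatever the materials manager returned — and a caching CMM shared between clients can hand back materials selected under a different commitment policy, which is exactly what the accompanying functional tests exercise. I would add above the call: `# Check the materials actually returned, not just the configured algorithm: a CMM (e.g. a shared cache) may supply an algorithm the commitment policy forbids.` `_prep_message` starts and ends outside the hunk.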
@@ -225,3 +225,59 @@ def test_encrypt_with_uncommitting_algorithm_require_decrypt(): with pytest.raises(ActionNotAllowedError) as excinfo: decrypting_client.decrypt(source=ciphertext, key_provider=key_provider) excinfo.match("Configuration conflict. Cannot decrypt due to .* requiring only committed messages") + + +def test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials(): + """Tests that when a client with a require policy shares a cache with a client with a forbid policy + an error gets thrown due to invalid materials retrieved from cmm""" + forbid_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT + ) + required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT + ) + + provider = StaticRawMasterKeyProvider( + wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, + encryption_key_type=EncryptionKeyType.SYMMETRIC, + key_bytes=b"\00" * 32, + ) + provider.add_master_key("KeyId") + cache = aws_encryption_sdk.LocalCryptoMaterialsCache(capacity=10) + ccmm = aws_encryption_sdk.CachingCryptoMaterialsManager( + master_key_provider=provider, cache=cache, max_age=3600.0, max_messages_encrypted=5 + ) + plaintext = b"Yellow Submarine" + + ciphertext, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + with pytest.raises(ActionNotAllowedError) as excinfo: + required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + excinfo.match("Configuration conflict. 
Cannot encrypt due to .* requiring only committed messages") + + +def test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials(): + """Tests that when a client with a forbid policy shares a cache with a client with a require policy + an error gets thrown due to invalid materials retrieved from cmm""" + forbid_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT + ) + required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT + ) + + provider = StaticRawMasterKeyProvider( + wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, + encryption_key_type=EncryptionKeyType.SYMMETRIC, + key_bytes=b"\00" * 32, + ) + provider.add_master_key("KeyId") + cache = aws_encryption_sdk.LocalCryptoMaterialsCache(capacity=10) + ccmm = aws_encryption_sdk.CachingCryptoMaterialsManager( + master_key_provider=provider, cache=cache, max_age=3600.0, max_messages_encrypted=5 + ) + plaintext = b"Yellow Submarine" + + ciphertext, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + with pytest.raises(ActionNotAllowedError) as excinfo: + forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only non-committed messages.") From d006e52c5a4df5fa6600373960102562bf39d99c Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:06:11 -0700 Subject: [PATCH 02/13] limit ci tests to python 3.12 --- .github/workflows/ci_test-vector-handler.yaml | 2 +- .github/workflows/ci_tests.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 8a142096d..0d96def3e 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml 
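Review bot: The two new tests `test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials` and `test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials` duplicate about twenty lines of setup (both clients, `StaticRawMasterKeyProvider`, `LocalCryptoMaterialsCache`, `CachingCryptoMaterialsManager`, plaintext) and differ only in which client encrypts first and in the expected message. A `pytest.mark.parametrize` over `(first_policy, second_policy, expected_match)` with the provider/cache/CCMM built in a small helper would keep the two cases in one place and make it harder for them to drift apart. Two smaller style points on the same lines: `key_bytes=b"\00" * 32` uses an octal escape that reads like a typo, `b"\x00" * 32` says the same thing unambiguously; and the unescaped `.` in `excinfo.match("Configuration conflict. Cannot encrypt ...")` is a regex wildcard, so `r"Configuration conflict\. ..."` pins the message as intended.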
@@ -22,7 +22,7 @@ jobs: - macos-12 python: - 3.8 - - 3.x + - "3.12" architecture: - x64 - x86 diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index e1a13c334..9aa8b5f65 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -33,7 +33,6 @@ jobs: - "3.10" - "3.11" - "3.12" - - 3.x architecture: - x64 - x86 From 29cccaeeea2f272244ff8b0f21237194041c9369 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:19:28 -0700 Subject: [PATCH 03/13] fix ci tests --- dev_requirements/linter-requirements.txt | 1 + src/aws_encryption_sdk/streaming_client.py | 2 +- src/pylintrc | 1 + test/functional/test_f_commitment.py | 8 ++++---- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index 1295e522d..188f43dab 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -6,6 +6,7 @@ flake8-bugbear==22.9.11 flake8-docstrings==1.7.0 flake8-print==5.0.0 isort==5.11.4 +pbr==2.0.0 # needed due to to bandit pyflakes==2.4.0 pylint==2.13.5 readme_renderer==37.3 diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index 6059510ea..5d486f680 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -454,7 +454,7 @@ def _prep_message(self): ) validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm) - + if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ( diff --git a/src/pylintrc b/src/pylintrc index d187a5ea8..0a9dd4f3c 100644 --- a/src/pylintrc +++ b/src/pylintrc 
@@ -10,6 +10,7 @@ disable = attribute-defined-outside-init, # breaks with attrs_post_init abstract-method, # throws false positives on io.BaseIO grandchildren redefined-outer-name, # we do this on purpose in multiple places + too-many-positional-arguments, # on 2026-04-17 aws_encryption_sdk_decrypt_oracle started failing because of this # All below are disabled because we need to support Python 2 useless-object-inheritance, raise-missing-from, diff --git a/test/functional/test_f_commitment.py b/test/functional/test_f_commitment.py index d6defd242..9dfa2287d 100644 --- a/test/functional/test_f_commitment.py +++ b/test/functional/test_f_commitment.py @@ -236,7 +236,7 @@ def test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials( required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) - + provider = StaticRawMasterKeyProvider( wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, encryption_key_type=EncryptionKeyType.SYMMETRIC, @@ -249,7 +249,7 @@ def test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials( ) plaintext = b"Yellow Submarine" - ciphertext, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + _, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) with pytest.raises(ActionNotAllowedError) as excinfo: required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only committed messages") 
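Review bot: In the `@@ -249` hunk the rewritten line `_, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)` silences the unused-variable warning but the double throwaway unpack is an odd idiom; the return value is simply not needed, so a bare call `forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)` with a short comment such as `# prime the shared cache with materials chosen under the forbid policy` reads more clearly and documents why the first encrypt happens at all. The same applies to the `_, _ = required_encrypting_client.encrypt(...)` line in the `@@ -277` hunk of this commit. Both enclosing test functions start outside their hunks.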
@@ -264,7 +264,7 @@ def test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials() required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) - + provider = StaticRawMasterKeyProvider( wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, encryption_key_type=EncryptionKeyType.SYMMETRIC, @@ -277,7 +277,7 @@ def test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials() ) plaintext = b"Yellow Submarine" - ciphertext, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) + _, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) with pytest.raises(ActionNotAllowedError) as excinfo: forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm) excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only non-committed messages.") From e065f506d5e49aa6752bee2728efa3bbe6bcd7d8 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:28:11 -0700 Subject: [PATCH 04/13] more ci fix --- decrypt_oracle/src/pylintrc | 1 + dev_requirements/linter-requirements.txt | 1 + src/aws_encryption_sdk/streaming_client.py | 2 +- src/pylintrc | 1 - test/functional/test_f_commitment.py | 4 ++-- 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/decrypt_oracle/src/pylintrc b/decrypt_oracle/src/pylintrc index 888ae1355..b191633be 100644 --- a/decrypt_oracle/src/pylintrc +++ b/decrypt_oracle/src/pylintrc @@ -1,6 +1,7 @@ [MESSAGES CONTROL] # Disabling messages that we either don't care about for tests or are necessary to break for tests. disable = + too-many-positional-arguments, # on 2026-04-17 aws_encryption_sdk_decrypt_oracle started failing because of this ungrouped-imports, # we let isort handle this consider-using-f-string # disable until 2022-05-05; 6 months after 3.5 deprecation 
diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index 188f43dab..45f2523a8 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -11,4 +11,5 @@ pyflakes==2.4.0 pylint==2.13.5 readme_renderer==37.3 seed-isort-config==2.2.0 +setuptools==81.0.0 vulture==2.9.1 diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index 5d486f680..d5df02068 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -454,7 +454,7 @@ def _prep_message(self): ) validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm) - + if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ( diff --git a/src/pylintrc b/src/pylintrc index 0a9dd4f3c..d187a5ea8 100644 --- a/src/pylintrc +++ b/src/pylintrc @@ -10,7 +10,6 @@ disable = attribute-defined-outside-init, # breaks with attrs_post_init abstract-method, # throws false positives on io.BaseIO grandchildren redefined-outer-name, # we do this on purpose in multiple places - too-many-positional-arguments, # on 2026-04-17 aws_encryption_sdk_decrypt_oracle started failing because of this # All below are disabled because we need to support Python 2 useless-object-inheritance, raise-missing-from, diff --git a/test/functional/test_f_commitment.py b/test/functional/test_f_commitment.py index 9dfa2287d..f6078197c 100644 --- a/test/functional/test_f_commitment.py +++ b/test/functional/test_f_commitment.py 
@@ -236,7 +236,7 @@ def test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials( required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) - + provider = StaticRawMasterKeyProvider( wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, encryption_key_type=EncryptionKeyType.SYMMETRIC, @@ -264,7 +264,7 @@ def test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials() required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) - + provider = StaticRawMasterKeyProvider( wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, encryption_key_type=EncryptionKeyType.SYMMETRIC, From e82793ec0bd59065d69b43df8c76b61c19859c1b Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:33:11 -0700 Subject: [PATCH 05/13] m --- dev_requirements/linter-requirements.txt | 2 +- dev_requirements/release-requirements.txt | 4 ++-- dev_requirements/test-requirements.txt | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index 45f2523a8..198438a4d 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -12,4 +12,4 @@ pylint==2.13.5 readme_renderer==37.3 seed-isort-config==2.2.0 setuptools==81.0.0 -vulture==2.9.1 +vulture==2.9.1 \ No newline at end of file diff --git a/dev_requirements/release-requirements.txt b/dev_requirements/release-requirements.txt index 21fdc1520..6dfce7f94 100644 --- a/dev_requirements/release-requirements.txt +++ b/dev_requirements/release-requirements.txt @@ -1,4 +1,4 @@ pypi-parker==0.1.2 -setuptools==66.1.1 -twine==4.0.1 +setuptools==70.0.0 +twine==5.1.1 wheel==0.38.4 \ No newline at end of file 
diff --git a/dev_requirements/test-requirements.txt b/dev_requirements/test-requirements.txt index 01d7a2e2b..d5cf285bc 100644 --- a/dev_requirements/test-requirements.txt +++ b/dev_requirements/test-requirements.txt @@ -1,4 +1,4 @@ mock==4.0.3 -pytest==7.2.1 +pytest==8.0.0 pytest-cov==4.0.0 -pytest-mock==3.6.1 +pytest-mock==3.6.1 \ No newline at end of file From 6b48c32344b2f8f44c9235a43051a415ac603200 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:36:52 -0700 Subject: [PATCH 06/13] m --- test/unit/test_compatability.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/test_compatability.py b/test/unit/test_compatability.py index bd602c7cd..fa258f8a2 100644 --- a/test/unit/test_compatability.py +++ b/test/unit/test_compatability.py @@ -15,7 +15,7 @@ class TestWarnDeprecatedPython: def test_happy_version(self): with mock.patch.object(sys, "version_info") as v_info: v_info.major = 3 - v_info.minor = 6 + v_info.minor = 8 with pytest.warns(None) as record: _warn_deprecated_python() assert len(record) == 0 From 43150e4ef78ead63e3910f9a207e0f7ce4adb4ea Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:44:21 -0700 Subject: [PATCH 07/13] m --- dev_requirements/linter-requirements.txt | 2 -- dev_requirements/release-requirements.txt | 4 ++-- dev_requirements/test-requirements.txt | 2 +- test/unit/test_compatability.py | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index 198438a4d..c0fde1ff7 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -6,10 +6,8 @@ flake8-bugbear==22.9.11 flake8-docstrings==1.7.0 flake8-print==5.0.0 isort==5.11.4 -pbr==2.0.0 # needed due to to bandit pyflakes==2.4.0 pylint==2.13.5 readme_renderer==37.3 seed-isort-config==2.2.0 -setuptools==81.0.0 vulture==2.9.1 \ No newline at end of file 
diff --git a/dev_requirements/release-requirements.txt b/dev_requirements/release-requirements.txt index 6dfce7f94..21fdc1520 100644 --- a/dev_requirements/release-requirements.txt +++ b/dev_requirements/release-requirements.txt @@ -1,4 +1,4 @@ pypi-parker==0.1.2 -setuptools==70.0.0 -twine==5.1.1 +setuptools==66.1.1 +twine==4.0.1 wheel==0.38.4 \ No newline at end of file diff --git a/dev_requirements/test-requirements.txt b/dev_requirements/test-requirements.txt index d5cf285bc..260c63636 100644 --- a/dev_requirements/test-requirements.txt +++ b/dev_requirements/test-requirements.txt @@ -1,4 +1,4 @@ mock==4.0.3 -pytest==8.0.0 +pytest==7.2.1 pytest-cov==4.0.0 pytest-mock==3.6.1 \ No newline at end of file diff --git a/test/unit/test_compatability.py b/test/unit/test_compatability.py index fa258f8a2..80a2c9fa9 100644 --- a/test/unit/test_compatability.py +++ b/test/unit/test_compatability.py @@ -15,7 +15,7 @@ class TestWarnDeprecatedPython: def test_happy_version(self): with mock.patch.object(sys, "version_info") as v_info: v_info.major = 3 - v_info.minor = 8 + v_info.minor = 6 with pytest.warns(None) as record: _warn_deprecated_python() assert len(record) == 0 From e8a1140ed4d03a8303037b498a89b5bb22286207 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 14:49:07 -0700 Subject: [PATCH 08/13] m --- dev_requirements/linter-requirements.txt | 1 + test/unit/test_compatability.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index c0fde1ff7..0c06a6667 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -6,6 +6,7 @@ flake8-bugbear==22.9.11 flake8-docstrings==1.7.0 flake8-print==5.0.0 isort==5.11.4 +pbr>=5.5.0 pyflakes==2.4.0 pylint==2.13.5 readme_renderer==37.3 diff --git a/test/unit/test_compatability.py b/test/unit/test_compatability.py index 80a2c9fa9..bd602c7cd 100644 
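Review bot: The new `pbr>=5.5.0` entry in `dev_requirements/linter-requirements.txt` is the only floating specifier in a file where every other line is `==`-pinned, so lint runs are no longer reproducible and a future `pbr` release lands in CI unreviewed. Pin it like its neighbours (`pbr==<PINNED_VERSION>`, using the version that was verified to work) and keep the rationale comment that the earlier `pbr==2.0.0 # needed due to to bandit` line carried, corrected to `# needed by bandit`, so the next maintainer knows why a non-linter package is listed here.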
--- a/test/unit/test_compatability.py +++ b/test/unit/test_compatability.py @@ -15,7 +15,7 @@ class TestWarnDeprecatedPython: def test_happy_version(self): with mock.patch.object(sys, "version_info") as v_info: v_info.major = 3 - v_info.minor = 6 + v_info.minor = 6 with pytest.warns(None) as record: _warn_deprecated_python() assert len(record) == 0 From 270b84143399c07d8a02e9eba42113f17fe80a3b Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 15:02:33 -0700 Subject: [PATCH 09/13] m --- .github/workflows/ci_test-vector-handler.yaml | 4 ++-- .github/workflows/ci_tests.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 0d96def3e..5d7d0cfb1 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml @@ -19,7 +19,7 @@ jobs: os: - ubuntu-latest - windows-latest - - macos-12 + - macos-latest python: - 3.8 - "3.12" @@ -34,7 +34,7 @@ jobs: # x86 builds are only meaningful for Windows - os: ubuntu-latest architecture: x86 - - os: macos-12 + - os: macos-latest architecture: x86 steps: - uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 9aa8b5f65..1fd8cc232 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -26,7 +26,7 @@ jobs: os: - ubuntu-latest - windows-latest - - macos-12 + - macos-latest python: - 3.8 - 3.9 @@ -47,7 +47,7 @@ jobs: # x86 builds are only meaningful for Windows - os: ubuntu-latest architecture: x86 - - os: macos-12 + - os: macos-latest architecture: x86 steps: - uses: actions/checkout@v4 From 926037c03599460905ead497f5688073744c7b18 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Fri, 17 Apr 2026 15:09:12 -0700 Subject: [PATCH 10/13] m --- .github/workflows/ci_test-vector-handler.yaml | 2 ++ .github/workflows/ci_tests.yaml | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 5d7d0cfb1..891935326 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml @@ -36,6 +36,8 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 + - os: macos-latest + python: 3.8 steps: - uses: aws-actions/configure-aws-credentials@v4 with: diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 1fd8cc232..8d0c42456 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -49,6 +49,11 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 + - os: macos-latest + python: + - 3.8 + - 3.9 + - "3.10" steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 From 0e8ecd9ecc4a08b14b13efb702bd4dc5d5a0690e Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 15:10:51 -0700 Subject: [PATCH 11/13] m --- .github/workflows/ci_test-vector-handler.yaml | 1 - .github/workflows/ci_tests.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 891935326..5ecdeda89 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml @@ -36,7 +36,6 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 - - os: macos-latest python: 3.8 steps: - uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 8d0c42456..8257334b0 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml 
@@ -49,7 +49,6 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 - - os: macos-latest python: - 3.8 - 3.9 From 0aacf846f2fe34965ec6046a15ab69f8fe388b1e Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 17 Apr 2026 15:15:18 -0700 Subject: [PATCH 12/13] m --- .github/workflows/ci_test-vector-handler.yaml | 1 + .github/workflows/ci_tests.yaml | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 5ecdeda89..891935326 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml @@ -36,6 +36,7 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 + - os: macos-latest python: 3.8 steps: - uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 8257334b0..864c14ed0 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -49,10 +49,13 @@ jobs: architecture: x86 - os: macos-latest architecture: x86 - python: - - 3.8 - - 3.9 - - "3.10" + # Skip older Python versions on macOS + - os: macos-latest + python: 3.8 + - os: macos-latest + python: 3.9 + - os: macos-latest + python: "3.10" steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 From 6f065acf8aa99489d98d5aaf426dc288c26be251 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Fri, 17 Apr 2026 15:26:23 -0700 Subject: [PATCH 13/13] m --- .github/workflows/ci_decrypt-oracle.yaml | 9 ++-- .github/workflows/ci_static-analysis.yaml | 9 ++-- .github/workflows/ci_test-vector-handler.yaml | 12 +++-- .github/workflows/ci_tests.yaml | 6 +-- .github/workflows/daily_ci.yml | 50 +++++++++++++++++++ .github/workflows/pull.yml | 41 +++++++++++++++ .github/workflows/push.yml | 25 ++++++++++ 7 files changed, 132 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/daily_ci.yml create mode 100644 .github/workflows/pull.yml create mode 100644 .github/workflows/push.yml diff --git a/.github/workflows/ci_decrypt-oracle.yaml b/.github/workflows/ci_decrypt-oracle.yaml index baf01c571..c56e43a63 100644 --- a/.github/workflows/ci_decrypt-oracle.yaml +++ b/.github/workflows/ci_decrypt-oracle.yaml @@ -1,11 +1,10 @@ name: Continuous Integration tests for the decrypt oracle on: - pull_request: - push: - # Run once a day - schedule: - - cron: '0 0 * * *' + workflow_call: + +permissions: + contents: read jobs: tests: diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml index 7f74e8fc3..37a5e0cf3 100644 --- a/.github/workflows/ci_static-analysis.yaml +++ b/.github/workflows/ci_static-analysis.yaml @@ -1,11 +1,10 @@ name: Static analysis checks on: - pull_request: - push: - # Run once a day - schedule: - - cron: '0 0 * * *' + workflow_call: + +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index 891935326..3d5aceaed 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml 
@@ -1,11 +1,13 @@ name: Continuous Integration tests for the test vector handler on: - pull_request: - push: - # Run once a day - schedule: - - cron: '0 0 * * *' + workflow_call: + # Define any secrets that need to be passed from the caller + secrets: + INTEG_AWS_ACCESS_KEY_ID: + required: true + INTEG_AWS_SECRET_ACCESS_KEY: + required: true jobs: tests: diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 864c14ed0..0a53cace4 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -1,11 +1,7 @@ name: Continuous Integration tests on: - pull_request: - push: - # Run once a day - schedule: - - cron: '0 0 * * *' + workflow_call: env: AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: | diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml new file mode 100644 index 000000000..09edf3c40 --- /dev/null +++ b/.github/workflows/daily_ci.yml 
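Review bot: `ci_test-vector-handler.yaml` and `ci_tests.yaml` are converted to `workflow_call` without a `permissions:` block, whereas the sibling `ci_decrypt-oracle.yaml` and `ci_static-analysis.yaml` hunks in this commit add `permissions: contents: read`. A called workflow inherits the caller's grant unless it narrows it, and the new callers (`daily_ci.yml`, `pull.yml`, `push.yml`) grant `id-token: write` at the top level, so these two workflows currently run with an OIDC-capable token whether or not they need one. Add `permissions:` / `  contents: read` to both, widening to `id-token: write` only in the workflow that actually exchanges an OIDC token — the test-vector handler appears to use static `INTEG_AWS_*` keys via `configure-aws-credentials`, so it presumably does not, but please confirm.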
@@ -0,0 +1,50 @@ +# This workflow runs every weekday at 15:00 UTC (8AM PDT) +name: Daily CI + +on: + schedule: + - cron: "00 15 * * 1-5" + pull_request: + paths: + .github/workflows/daily_ci.yml + +permissions: + contents: read + id-token: write + +jobs: + decrypt_oracle: + # Don't run the cron builds on forks + if: github.event_name != 'schedule' || github.repository_owner == 'aws' + uses: ./.github/workflows/ci_decrypt-oracle.yaml + static_analysis: + # Don't run the cron builds on forks + if: github.event_name != 'schedule' || github.repository_owner == 'aws' + uses: ./.github/workflows/ci_static-analysis.yaml + test_vector_handler: + # Don't run the cron builds on forks + if: github.event_name != 'schedule' || github.repository_owner == 'aws' + uses: ./.github/workflows/ci_test-vector-handler.yaml + secrets: + INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }} + INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }} + tests: + # Don't run the cron builds on forks + if: github.event_name != 'schedule' || github.repository_owner == 'aws' + uses: ./.github/workflows/ci_tests.yaml + + notify: + needs: + [ + decrypt_oracle, + static_analysis, + test_vector_handler, + tests + ] + if: ${{ failure() }} + uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main + with: + message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + secrets: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }} + diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml new file mode 100644 index 000000000..ca5899359 --- /dev/null +++ b/.github/workflows/pull.yml 
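Review bot: The `notify` job references `aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main`, a mutable branch ref, and that job receives `SLACK_WEBHOOK_URL_CI`; any change pushed to `main` in that repository silently changes what runs here with the webhook secret. Pin the reusable workflow to a full-length commit SHA with the version noted in a trailing comment (`...slack-notification.yml@<FULL_COMMIT_SHA> # <tag or date>`), and apply the same to `re-actors/alls-green@release/v1` in the `pull.yml` hunk of this commit. The fork guard `if: github.event_name != 'schedule' || github.repository_owner == 'aws'` is repeated on four jobs with no shared definition; a one-line comment at the first occurrence noting that job-level `if:` is the only place a reusable-workflow caller can gate would save the next reader from trying to factor it out.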
@@ -0,0 +1,41 @@ +name: Pull Request Workflow + +on: + pull_request: + +# Concurrency control helps avoid CodeBuild throttling. +# When new commits are pushed, the previous workflow run is cancelled. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + id-token: write + contents: read + +jobs: + # Call each workflow with appropriate parameters + decrypt_oracle: + uses: ./.github/workflows/ci_decrypt-oracle.yaml + static_analysis: + uses: ./.github/workflows/ci_static-analysis.yaml + test_vector_handler: + uses: ./.github/workflows/ci_test-vector-handler.yaml + secrets: + INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }} + INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }} + tests: + uses: ./.github/workflows/ci_tests.yaml + pr-ci-all-required: + if: always() + needs: + - decrypt_oracle + - static_analysis + - test_vector_handler + - tests + runs-on: ubuntu-22.04 + steps: + - name: Verify all required jobs passed + uses: re-actors/alls-green@release/v1 + with: + jobs: ${{ toJSON(needs) }} \ No newline at end of file diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 000000000..2832513e3 --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,25 @@ +name: Push Workflow + +on: + push: + branches: master + +permissions: + id-token: write + contents: read + +jobs: + decrypt_oracle: + uses: ./.github/workflows/ci_decrypt-oracle.yaml + + static_analysis: + uses: ./.github/workflows/ci_static-analysis.yaml + + test_vector_handler: + uses: ./.github/workflows/ci_test-vector-handler.yaml + secrets: + INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }} + INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }} + + tests: + uses: ./.github/workflows/ci_tests.yaml \ No newline at end of file
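Review bot: `pull.yml` and `push.yml` both set `permissions: id-token: write` at the workflow level, so the grant flows to every called workflow and to the `pr-ci-all-required` gate job, which only inspects `${{ toJSON(needs) }}` and needs no token at all. Move `permissions:` onto the individual caller jobs (reusable-workflow callers accept a job-level `permissions:` key) so that only the job that actually performs an OIDC exchange gets `id-token: write`, and leave the others at `contents: read`. On `pull_request` from a fork the `INTEG_AWS_*` secrets passed to `test_vector_handler` will be empty, which presumably makes that job fail for external contributors — worth a comment in the job, or a `github.event.pull_request.head.repo.fork` guard, if that is the intended behaviour.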